Add restrictive filters for every channel and provider name filter. #403
rules/0605-win-mcafee_rules.xml
@@ -42,34 +42,34 @@ | |||
|
|||
<rule id="62603" level="2"> | |||
<if_sid>62600</if_sid> | |||
<field name="win.system.eventID">$MCAFEE_INFO</field> | |||
<field name="win.system.eventID">$MCAFEE_INFO$</field> |
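Review bot: the trailing $ added after $MCAFEE_INFO on the + line is not part of the variable name, so it is left in place after substitution and gets appended to the variable's value (^257$|^5000$|^5026$|^5052$|^5055$, which already anchors every alternative), leaving a pattern that ends in a doubled $. Keep the original <field name="win.system.eventID">$MCAFEE_INFO</field>; the same applies to the $MCAFEE_WARN$ and $MCAFEE_ERROR$ edits in the hunks that follow.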
$MCAFEE_INFO is a variable defined as <var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var> so it is not needed to include the $ character.
rules/0605-win-mcafee_rules.xml
<description>McAfee Windows AV informational event</description> | ||
</rule> | ||
|
||
<rule id="62604" level="3"> | ||
<if_sid>62601</if_sid> | ||
<field name="win.system.eventID">$MCAFEE_WARN</field> | ||
<field name="win.system.eventID">$MCAFEE_WARN$</field> |
Same here
rules/0605-win-mcafee_rules.xml
<description>McAfee Windows AV warning event</description> | ||
<group>gpg13_4.12,</group> | ||
</rule> | ||
|
||
<rule id="62605" level="4"> | ||
<if_sid>62602</if_sid> | ||
<field name="win.system.eventID">$MCAFEE_ERROR</field> | ||
<field name="win.system.eventID">$MCAFEE_ERROR$</field> |
Same here
rules/0605-win-mcafee_rules.xml
<description>McAfee Windows AV error event</description> | ||
<group>gpg13_4.3,</group> | ||
</rule> | ||
|
||
<rule id="62606" level="12"> | ||
<if_sid>62600,62601,62602</if_sid> | ||
<field name="win.system.message">$MCAFEE_VIRUS</field> | ||
<field name="win.system.message">$MCAFEE_VIRUS$</field> |
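Review bot: the definition behind $MCAFEE_VIRUS is not visible in this hunk, and unlike the eventID variables above this one is matched against win.system.message, free text that can continue past the matched phrase. Before appending $ here (and to $MCAFEE_VIRUS_OK in the next hunk), check the <var name="MCAFEE_VIRUS"> definition: if its alternatives are substring patterns rather than whole-value matches, an end anchor on the message field would stop this level 12 virus rule from firing on events it currently catches, and the fix, if one is wanted, belongs inside the <var> definition as it already is for MCAFEE_INFO.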
Same here
rules/0605-win-mcafee_rules.xml
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group> | ||
<description>McAfee Windows AV - Virus detected and not removed</description> | ||
</rule> | ||
|
||
<rule id="62607" level="7"> | ||
<if_sid>62606</if_sid> | ||
<field name="win.system.message">$MCAFEE_VIRUS_OK</field> | ||
<field name="win.system.message">$MCAFEE_VIRUS_OK$</field> |
Same here
This PR fixes the issue #401. It adds restrictive characters for every channel and provider name filter.